Vulnerabilities > Mediawiki > High

DATE CVE VULNERABILITY TITLE RISK
2018-04-13 CVE-2017-0362 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the "Mark all pages visited" on the watchlist does not require a CSRF token.
network
low complexity
mediawiki debian CWE-352
8.8
2018-04-13 CVE-2017-0361 Information Exposure vulnerability in multiple products
Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information disclosure flaw, where the api.log might contain passwords in plaintext.
local
low complexity
mediawiki debian CWE-200
7.8
2017-12-29 CVE-2015-8008 Improper Access Control vulnerability in multiple products
The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.
network
low complexity
mediawiki fedoraproject CWE-284
7.5
2017-11-15 CVE-2017-8815 Improper Input Validation vulnerability in multiple products
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
network
low complexity
mediawiki debian CWE-20
7.5
2017-11-15 CVE-2017-8814 Improper Input Validation vulnerability in multiple products
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk."
network
low complexity
mediawiki debian CWE-20
7.5
2017-11-15 CVE-2017-8810 Information Exposure vulnerability in multiple products
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.
network
low complexity
mediawiki debian CWE-200
7.5
2017-10-19 CVE-2012-4380 Improper Access Control vulnerability in Mediawiki
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
network
low complexity
mediawiki CWE-284
7.5
2017-04-20 CVE-2016-6337 Improper Access Control vulnerability in Mediawiki 1.27.0
MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights.
network
low complexity
mediawiki CWE-284
7.5
2017-04-20 CVE-2016-6335 Information Exposure vulnerability in Mediawiki
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php.
network
low complexity
mediawiki CWE-200
7.5
2017-04-20 CVE-2016-6332 Information Exposure vulnerability in Mediawiki
MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked.
network
low complexity
mediawiki CWE-200
7.5